Phpmailer Security Vulnerabilities and Issues — Phpmailer CVE List

Lucene search

Phpmailer ProjectPhpmailer

10 matches found

CVE•added 2018/11/16 9:29 a.m.•698 views

CVE-2018-19296

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

8.8CVSS8.6AI score0.01227EPSS

CVE•added 2021/04/28 3:15 a.m.•513 views

CVE-2020-36326

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in saf...

9.8CVSS8.7AI score0.01809EPSS

CVE•added 2016/12/30 7:59 p.m.•507 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property.

9.8CVSS9.8AI score0.94366EPSS

CVE•added 2016/12/30 7:59 p.m.•262 views

CVE-2016-10045

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE:...

9.8CVSS10AI score0.94366EPSS

CVE•added 2020/06/08 5:15 p.m.•231 views

CVE-2020-13625

PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

7.5CVSS7.3AI score0.02624EPSS

CVE•added 2017/01/16 6:59 a.m.•113 views

CVE-2017-5223

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base dir...

5.5CVSS5.4AI score0.08899EPSS

CVE•added 2021/06/16 6:15 p.m.•100 views

CVE-2021-34551

PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.

8.1CVSS8.2AI score0.02108EPSS

CVE•added 2021/06/17 12:15 p.m.•98 views

CVE-2021-3603

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the g...

8.1CVSS7.9AI score0.00487EPSS

CVE•added 2017/07/20 11:29 p.m.•88 views

CVE-2017-11503

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.

6.1CVSS6AI score0.00643EPSS

CVE•added 2015/12/16 9:59 p.m.•78 views

CVE-2015-8476

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulne...

5CVSS9.6AI score0.00948EPSS